• Stars
    star
    313
  • Rank 133,714 (Top 3 %)
  • Language
    HTML
  • Created about 7 years ago
  • Updated over 2 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

The project is designed as a file resource cloner. Metadata, including digital signature, is extracted from one file and injected into another.

META TWIN

=================================================================
 ___ ___    ___ ______   ____      ______  __    __  ____  ____
|   |   |  /  _]      | /    |    |      ||  |__|  ||    ||    \
| _   _ | /  [_|      ||  o  |    |      ||  |  |  | |  | |  _  |
|  \_/  ||    _]_|  |_||     | -- |_|  |_||  |  |  | |  | |  |  |
|   |   ||   [_  |  |  |  _  | --   |  |  |        | |  | |  |  |
|   |   ||     | |  |  |  |  |      |  |   \      /  |  | |  |  |
|___|___||_____| |__|  |__|__|      |__|    \_/\_/  |____||__|__|
=================================================================
Author: @joevest
=================================================================

The project is designed as a file resource cloner. Metadata, including digital signature, is extracted from one file and injected into another. Note: Signatures are copied, but no longer valid.

This project is based on a technique I've used for a few years. This has been updated and modified to include copying digital signatures.

Thanks @subtee for the tweet that encouraged this project to be updated and published !!

A blog post on this topic can be found at threatexpress.com

Resources

Note: SigThief and Resource Hacker may not detect valid metadata or digital signature. This project may switch to a different tool set, but for now, be aware of potential limitations.

Install

  • Clone this project
  • Download and unzip Resource Hacker to .\src\resource_hacker\ResourceHacker.exe
  • Enjoy...

Description

A version of this project has existed for several years to help a binary blend into a target environment by modifying it's metadata. A binary's metadata can be replaced with the metadata of a source. This includes values such as Product Name, Product Version, File Version, Copyright, etc. In addition to standard metadata, sigthief is now used to copy a digital signature.

Usage

SYNOPSIS
    MetaTwin copies metadata and AuthentiCode signature from one file and injects into another.

SYNTAX
    Invoke-MetaTwin [-Source] <Object> [-Target] <Object> [-Sign] 

    Source     Source binary containing metadata and signature
    
    Target     Target binary that will be updated

    Sign       Optional setting that will add the source's digital signature   

Example

c:> powershell -ep bypass
PS> Import-Module c:\tools\metatwin.ps1
PS> cd c:\tools\metatwin\
PS> Invoke-MetaTwin -Source c:\windows\system32\netcfgx.dll -Target .\beacon.exe -Sign

More Repositories

1

malleable-c2

Cobalt Strike Malleable C2 Design and Reference Guide
1,434
star
2

domainhunter

Checks expired domains for categorization/reputation and Archive.org history to determine good candidates for phishing and C2 domain names
Python
1,418
star
3

red-team-scripts

A collection of Red Team focused tools, scripts, and notes
PowerShell
1,092
star
4

random_c2_profile

Cobalt Strike random C2 Profile generator
Python
583
star
5

cs2modrewrite

Convert Cobalt Strike profiles to modrewrite scripts
Python
565
star
6

tinyshell

Python
161
star
7

aggressor-scripts

Cobalt Strike Aggressor Scripts
JavaScript
137
star
8

pasties

A collection of random bits of information common to many individual penetration tests, red teams, and other assessments
Shell
106
star
9

subshell

SubShell is a python command shell used to control and execute commands through HTTP requests to a webshell. SubShell acts as the interface to the remote webshells.
Python
73
star
10

threatbox

ThreatBox is a standard and controlled Linux based attack platform. I've used a version of this for years. It started as a collection of scripts, lived as a rolling virtual machine, existed as code to build a Linux ISO, and has now been converted to a set of ansible playbooks. Why Ansible? Why not? This seemed a natural evolution.
Smarty
69
star
11

invoke-pipeshell

SMB Named Pipe shell
PowerShell
62
star
12

portplow

PortPlow is a distributed port and system scanning & enumeration service. It enables the quick and automated enumeration of ports and services from multiple systems managed by a central console.
JavaScript
53
star
13

edc

Event Data Collector
Python
34
star
14

mythic2modrewrite

Generate Apache mod_rewrite rules for Mythic C2 profiles
Python
25
star
15

threat-mitigation

Threat Mitigation Strategies
22
star
16

procdot_sandbox

ProcDot Malware Sandbox
Python
19
star
17

cobaltstrike_payload_generator

Quickly generate every payload type for each listener and optionally host via HTTP.
13
star
18

threatexpress

HTML
11
star
19

redteamguide

Home of https://redteam.guide
JavaScript
9
star
20

tools

Tools
1
star